This is a limitation of the service. From the SSPR documentation:
Password reset is not currently supported from a Remote Desktop or from Hyper-V enhanced sessions and Hybrid Azure AD joined machines must have network connectivity line of sight to a domain controller to use the new password and update cached credentials. This means that devices must either be on the organization's internal network or on a VPN with network access to an on-premises domain controller.
That said, if you have hybrid joined computers then Windows Hello for Business password reset is possible when off site without a VPN, if you have set it up fully. https://learn.microsoft.com/en-us/windows/security/identity-protection/hello-for-business/hello-identity-verification
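A way to check the condition the quoted documentation describes before a user attempts a reset, as an added example that is not part of the original answer or of Microsoft's documentation: it reads the join state from `dsregcmd /status` and asks the DC locator (`nltest /dsgetdc`) whether a domain controller is reachable. The function names `Get-JoinState` and `Test-DcLineOfSight` are hypothetical helpers, and the script assumes it runs on the affected Windows device.

```powershell
# Added example, not from the original answer. Run on the affected Windows device.
# Assumption: dsregcmd.exe and nltest.exe are present (both ship with Windows).

function Get-JoinState {
    # Parse the "Name : Value" lines of `dsregcmd /status` output.
    param([string[]]$DsregOutput)
    $state = @{}
    foreach ($line in $DsregOutput) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|DomainName)\s*:\s*(\S+)') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    [pscustomobject]@{
        AzureAdJoined = $state['AzureAdJoined'] -eq 'YES'
        DomainJoined  = $state['DomainJoined'] -eq 'YES'
        DomainName    = $state['DomainName']
    }
}

function Test-DcLineOfSight {
    # nltest exits with 0 only when the DC locator finds a domain controller.
    # /force skips the locator cache so a stale entry cannot hide a lost connection.
    param([Parameter(Mandatory)][string]$DomainName)
    & nltest.exe "/dsgetdc:$DomainName" /force *> $null
    return $LASTEXITCODE -eq 0
}

$join   = Get-JoinState -DsregOutput (& dsregcmd.exe /status)
$hybrid = $join.AzureAdJoined -and $join.DomainJoined
$dcReachable = if ($join.DomainJoined -and $join.DomainName) {
    Test-DcLineOfSight -DomainName $join.DomainName
} else { $false }

[pscustomobject]@{
    HybridJoined = $hybrid
    DomainName   = $join.DomainName
    DcReachable  = $dcReachable
    Finding      = if ($hybrid -and -not $dcReachable) {
        'No line of sight to a domain controller: connect to the internal network or VPN first.'
    } elseif ($hybrid) {
        'Domain controller reachable.'
    } else {
        'Device is not hybrid joined.'
    }
}
```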